Improper Access Control Vulnerability in Mintplex-Labs Anything-LLM Application
CVE-2024-3279

9.1 CRITICAL

Key Information:

Vendor
CVE Published:
12 August 2024

What is CVE-2024-3279?

An improper access control vulnerability has been identified in the Anything-LLM application developed by Mintplex Labs. The flaw is in the import endpoint, which can be reached without proper authentication. An attacker who bypasses authentication can import a malicious database file that deletes or corrupts the existing 'anythingllm.db' file. This not only compromises the integrity of the affected database but also lets the attacker serve harmful data or gather sensitive user information. The root cause is the application's inadequate restriction of the import functionality, a critical security oversight.

Affected Version(s)

mintplex-labs/anything-llm < 1.0.0

References

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved